Data Protection Act Penalties

Since 2010 the Information Commissioner has been able to issue monetary penalties of up to £500,000 where there has been a serious contravention of the data protection principles in the Data Protection Act 1998 (the “Act”). Recent cases involving Data Protection Act penalties have again highlighted the need for organisations to implement and adhere to a strong data protection policy.

A monetary penalty may be issued if the Information Commissioner is satisfied that:

• there has been a serious contravention of the data protection principles under the Act;

• the contravention was likely to cause substantial damage or distress; and

• the contravention was deliberate OR the data controller ought to have known that there was a risk that the data protection principles would be contravened and such contravention would be likely to cause substantial damage or distress yet they failed to take reasonable steps to prevent the breach.

Recent monetary penalties

Monetary penalties have been issued to numerous councils and other public bodies where sensitive personal data relating to children or other vulnerable individuals has been lost or erroneously sent to the wrong person. However, private companies are by no means exempt from monetary penalties.

Prudential Assurance Company Limited was fined £50,000 for contravention of the duty to ensure personal data is kept up to date and accurate. Two customer records were merged on their database which resulted in financial information being erroneously sent to each customer and the funds of a pension policy belonging to Customer A being transferred by Customer B.

Welcome Financial Services Limited was fined £150,000 for losing two tapes which held the personal data of customers such as names, addresses and telephone numbers and data relating to current and former employees such as bank account details, CVs and national insurance information. Welcome had failed to take appropriate technical and organisational measures to prevent the loss and unauthorised processing of personal data. The tapes were unencrypted despite there being a policy in place stating that the tapes should be encrypted, and other appropriate IT security measures had not been implemented.

What is clear from these cases is that companies should review their data protection policies to reduce the risk of breaching the data protection principles under the Act and incurring a monetary penalty, or often more damaging, suffering the discomfiture of an adverse finding under the Act.

Issues to consider include:

• Do you have a data protection policy in place? Is it enforced?

• Have staff who handle personal data been provided with sufficient training to ensure compliance with the Act?

• How is your personal data stored? Is it encrypted and is any data stored on a web server protected by sufficient security?

• What measures are in place to prevent personal data accidentally being sent to the wrong person?

• When personal data is destroyed is it done so securely?

• Customer and employee information both constitute personal data so be sure to assess the security and processing of both these types of information.

Edwin Coe is a high-quality, commercial law firm with expertise in specific practice areas and industry sectors. The firm provides tailored and integrated services to both UK and international clients.

If you aren’t receiving our legal updates directly to your mailbox, please sign up now